Chinese Hackers Using Custom ShadowPad IIS Listener Module to Turn Compromised Servers into Active Nodes

The group employs a custom ShadowPad IIS Listener module to transform compromised servers into a resilient, distributed relay network.

This approach allows attackers to route malicious traffic through victim infrastructure, effectively turning hacked organizations into a mesh of command-and-control nodes.

The operation begins by exploiting long-standing vulnerabilities, specifically ASP.NET ViewState deserialization and SharePoint flaws such as ToolShell.

By leveraging leaked machine keys or unpatched endpoints, attackers achieve remote code execution, leading to full-system compromise.

Once established, the malware creates a covert channel that blends seamlessly with legitimate web traffic, making detection exceptionally difficult for network defenders monitoring standard protocols.

Check Point analysts identified this evolving threat cluster, noting that the group—also known as Earth Alux or REF7707—has significantly refined its tradecraft.

The researchers observed that Ink Dragon does not merely use victims for data theft but actively repurposes them to support ongoing operations against other targets.

Attack chain (Source - Check Point)

This creates a self-sustaining infrastructure that obscures the true origin of the attacks while maximizing the utility of every compromised asset.

This modular architecture grants the attackers persistent access and the ability to pivot laterally across networks.

Using native IIS capabilities to intercept and relay communications ensures that command traffic remains hidden within standard HTTP streams.

This strategic reuse of compromised assets highlights a mature operational philosophy focused on long-term stealth, resilience, and the continuous expansion of their operational reach.

The ShadowPad IIS Listener Mechanism

The core of this campaign is a custom IIS module that operates differently from traditional backdoors.

Instead of simply opening a port, it uses the HttpAddUrl API to register dynamic URL listeners that intercept specific HTTP requests.

When a request matches the configured pattern, the module decrypts the payload to determine if it is a command.

If the traffic does not match the proprietary protocol, the module forwards it to the legitimate IIS worker, which serves normal web content to avoid raising suspicion.

This stealthy interception allows the implant to coexist with legitimate applications without disrupting service availability.

Relay Network (Source - Check Point)

The module utilizes a specific decryption routine to handle initial packets, ensuring that only authorized operator traffic is processed.

def decrypt_first_packet(buf: bytearray, seed: int, length: int):
    # First two bytes of the packet carry a 16-bit little-endian seed; the
    # remaining (length - 2) bytes are XOR-masked with a keystream derived
    # from it. The `seed` argument is not used by the recovered routine: the
    # seed is always read from the buffer itself.
    count = length - 2
    seed_lo = buf[0]
    seed_hi = buf[1]
    num = (seed_hi << 8) | seed_lo
    num &= 0xFFFFFFFF

    pos = 2
    for _ in range(count):
        # 32-bit pseudo-random recurrence; only the low byte of each state
        # is used as keystream.
        hi = (num >> 16) & 0xFFFF
        num = (hi * 0x7093915D - num * 0x6EA30000 + 0x06B0F0E3) & 0xFFFFFFFF
        buf[pos] ^= num & 0xFF
        pos += 1
    return buf
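The following is an added example (not Check Point's or the malware's own code) that reorganises the routine above into a keystream generator and a decoder for a captured HTTP body. The point for defenders: the 16-bit seed travels in the clear in the first two bytes and there is no operator secret, so anyone holding a packet capture can unmask the first packet. The packet layout (2-byte little-endian seed followed by the masked body) is taken from the routine above; the sample packet is constructed.

```python
# Added example: keystream generator and first-packet decoder built from the
# recurrence published in the article. Not the implant's own code.

def keystream(seed: int, n: int) -> bytes:
    """Generate n keystream bytes from a 16-bit seed using the article's recurrence."""
    num = seed & 0xFFFFFFFF
    out = bytearray()
    for _ in range(n):
        hi = (num >> 16) & 0xFFFF
        num = (hi * 0x7093915D - num * 0x6EA30000 + 0x06B0F0E3) & 0xFFFFFFFF
        out.append(num & 0xFF)          # only the low byte of the state is used
    return bytes(out)


def decode_first_packet(packet: bytes) -> bytes:
    """Recover the plaintext body of a captured first packet.

    Layout (from the routine above): bytes 0-1 = little-endian seed,
    bytes 2.. = body XOR keystream(seed). No key is needed beyond the packet.
    """
    if len(packet) < 2:
        raise ValueError("packet too short to carry a seed")
    seed = packet[0] | (packet[1] << 8)
    body = packet[2:]
    return bytes(b ^ k for b, k in zip(body, keystream(seed, len(body))))


def mask_body(body: bytes, seed: int) -> bytes:
    """Build a constructed sample packet for testing the decoder.

    XOR masking is its own inverse, so this is just the decoder with the
    seed prepended; it exists only to produce test input.
    """
    header = bytes([seed & 0xFF, (seed >> 8) & 0xFF])
    return header + bytes(b ^ k for b, k in zip(body, keystream(seed, len(body))))


if __name__ == "__main__":
    # Constructed sample: a made-up body masked under an arbitrary seed.
    sample = mask_body(b"constructed-sample-body", 0x1234)
    print(decode_first_packet(sample))
```

Because the seed space is only 65536 values and the seed is not even hidden, this transform provides obfuscation rather than confidentiality; a packet capture of the first request is enough to recover what the operator sent.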

By maintaining separate lists for server and client nodes, the malware automatically pairs connections to relay data between them.

This enables the attackers to bridge communications across unrelated victim networks, complicating attribution and remediation efforts.

This relay logic is supported by granular debug logging, which documents byte transfers and helps analysts map the broader communication graph.
